Quantifiers Leonardo de Moura Microsoft Research Satisfiability - - PowerPoint PPT Presentation

Quantifiers

Leonardo de Moura Microsoft Research

Satisfiability

𝑏 > 𝑐 + 2, 𝑏 = 2𝑑 + 10, 𝑑 + 𝑐 ≤ 1000 𝑏 = 0, 𝑐 = −3, 𝑑 = −5

0 > −𝟒 + 2, 0 = 2 −𝟔 + 10, −𝟔 + (−𝟒) ≤ 1000

Model SAT

Quantifiers

∀𝑦 ∃𝑧 𝑦 > 0 ⟹ 𝑔 𝑦, 𝑧 = 0

Quantifiers

∀𝑦 ∃𝑧 𝑦 > 0 ⟹ 𝑔 𝑦, 𝑧 = 0 Universal

Quantifiers

∀𝑦 ∃𝑧 𝑦 > 0 ⟹ 𝑔 𝑦, 𝑧 = 0 Existential

Quantifiers

∀𝑦 ∃𝑧 𝑦 > 0 ⟹ 𝑔 𝑦, 𝑧 = 0

A Model 𝑔 is the constant function 0

Quantifiers

∀𝑦 ∃𝑧 𝑦 > 0 ⟹ 𝑔 𝑦, 𝑧 = 0

Another Model 𝑔 is the polynomial 𝑧2 − 𝑦

Verification Tools need Quantifiers

Modeling the Runtime

 h,o,f: IsHeap(h)  o ≠ null  read(h, o, alloc) = t  read(h,o, f) = null  read(h, read(h,o,f),alloc) =

Verification Tools need Quantifiers

Frame Axioms  o, f:

• ≠ null  read(h0, o, alloc) = t 

read(h1,o,f) = read(h0,o,f)  (o,f)  M

Verification Tools need Quantifiers

User provided assertions  i,j: i  j  read(a,i)  read(b,j)

Verification Tools need Quantifiers

Extra Theories

 x: p(x,x)  x,y,z: p(x,y), p(y,z)  p(x,z)  x,y: p(x,y), p(y,x)  x = y

Verification Tools need Quantifiers

Main Challenge Solver must be fast is satisfiable instances

Verifying Compilers

Annotated Program Verification Condition F

pre/post conditions invariants and other annotations

Verification Condition: Structure

BIG and-or tree (ground)  Axioms (non-ground) Control & Data Flow

VCC: Verifying C Compiler

BAD NEWS

First-order logic (FOL) is semi-decidable Quantifiers + EUF

BAD NEWS

FOL + Linear Integer Arithmetic is undecidable Quantifiers + EUF + LIA

Hypervisor

Hardware Hypervisor

Challenges:

VCs have several Megabytes Thousands universal quantifiers Developers are willing at most 5 min per VC

Verification Attempt Time vs. Satisfaction and Productivity

NNF: Negation Normal Form

NNF: Negation Normal Form

Skolemization

Skolemization

 - Many Approaches

Heuristic quantifier instantiation SMT + Saturation provers

Complete quantifier instantiation Decidable fragments

Model based quantifier instantiation

Quantifier Elimination

Heuristic Quantifier Instantiation

E-matching (matching modulo equalities). Example:

 x: f(g(x)) = x { f(g(x)) }

a = g(b), b = c, f(a)  c

Pattern/Trigger

Heuristic Quantifier Instantiation

E-matching (matching modulo equalities). Example:

 x: f(g(x)) = x { f(g(x)) }

a = g(b), b = c, f(a)  c

x=b

f(g(b)) = b

E-matching problem

E-matching Challenge

Number of matches can be exponential It is not refutationally complete The real challenge is finding new matches: Incrementally during backtracking search Large database of patterns

EUF Solver: Review

EUF Solver: Review

EUF Solver: Review

EUF Solver: Review

EUF Solver: Review

EUF Solver: Review

EUF Solver: Review

EUF Solver: Review

EUF Solver: Review

EUF Solver: Review

E-matching

E-matching: Example

E-matching: Example

E-matching: Example

E-matching: Example

E-matching: Example

E-matching: Example

E-matching: Example

E-matching: Example

E-matching: Example

E-matching: Example

E-matching: Example

E-matching: Example

E-matching: Example

E-matching: Example

E-matching: Example

E-matching: Example

E-matching: Example

Efficient E-matching

Problem Indexing Technique Fast retrieval E-matching code trees Incremental E-Matching Inverted path index

E-matching: code trees

Trigger: f(x1, g(x1, a), h(x2), b) Instructions:

• 1. init(f, 2)
• 2. check(r4, b, 3)
• 3. bind(r2, g, r5, 4)
• 4. compare(r1, r5, 5)
• 5. check(r6, a, 6)
• 6. bind(r3, h, r7, 7)
• 7. yield(r1, r7)

Compiler Similar triggers share several instructions. Combine code sequences in a code tree

E-matching limitations

E-matching needs ground seeds. x: p(x), x: not p(x)

E-matching limitations

Bad user provided triggers: x: f(g(x))=x { f(g(x)) } g(a) = c, g(b) = c, a  b

Trigger is too restrictive

E-matching limitations

Bad user provided triggers: x: f(g(x))=x { g(x) } g(a) = c, g(b) = c, a  b

More “liberal” trigger

E-matching limitations

Bad user provided triggers: x: f(g(x))=x { g(x) } g(a) = c, g(b) = c, a  b, f(g(a)) = a, f(g(b)) = b a=b

E-matching limitations

It is not refutationally complete

False positives

E-matching: why do we use it?

Integrates smoothly with current SMT Solvers design. Proof finding. Software verification problems are big & shallow.

Decidable Fragments & Complete Quantifier Instatiation

 + theories

There is no sound and refutationally complete procedure for linear arithmetic + unintepreted function symbols

Model Generation

How to represent the model of satisfiable formulas? Functor: Given a model M for T Generate a model M’ for F (modulo T) Example:

F: f(a) = 0 and a > b and f(b) > f(a) + 1

Symbol Interpretation a 1 b f ite(x=1, 0, 2) M’:

Model Generation

How to represent the model of satisfiable formulas? Functor: Given a model M for T Generate a model M’ for F (modulo T) Example:

F: f(a) = 0 and a > b and f(b) > f(a) + 1

Symbol Interpretation a 1 b f ite(x=1, 0, 2) M’:

Interpretation is given using T-symbols

Model Generation

How to represent the model of satisfiable formulas? Functor: Given a model M for T Generate a model M’ for F (modulo T) Example:

F: f(a) = 0 and a > b and f(b) > f(a) + 1

Symbol Interpretation a 1 b f ite(x=1, 0, 2) M’:

Non ground term (lambda expression)

Models as Functional Programs

Model Checking

Symbol Interpretation a 1 b f ite(x=1, 0, 2) M’:

Is x: f(x) ≥ 0 satisfied by M’? Yes, not (ite(k=1,0,2) ≥ 0) is unsatisfiable

Model Checking

Symbol Interpretation a 1 b f ite(x=1, 0, 2) M’:

Is x: f(x) ≥ 0 satisfied by M’? Yes, not (ite(k=1,0,2) ≥ 0) is unsatisfiable Negated quantifier Replaced f by its interpretation Replaced x by fresh constant k

Essentially uninterpreted fragment

Variables appear only as arguments of uninterpreted symbols.

f(g(x1) + a) < g(x1)  h(f(x1), x2) = 0 f(x1+x2)  f(x1) + f(x2)

Basic Idea

Given a set of formulas F, build an equisatisfiable set of quantifier-free formulas F* Suppose

1.

We have a clause C[f(x)] containing f(x).

2.

We have f(t).  Instantiate x with t: C[f(t)]. “Domain” of f is the set of ground terms Af t  Af if there is a ground term f(t)

Example

g(x1, x2) = 0  h(x2) = 0, g(f(x1),b) + 1  f(x1), h(c) = 1, f(a) = 0 F F*

Example

g(x1, x2) = 0  h(x2) = 0, g(f(x1),b) + 1  f(x1), h(c) = 1, f(a) = 0 F F* h(c) = 1, f(a) = 0 Copy quantifier-free formulas “Domains”: Af: { a } Ag: { } Ah: { c }

Example

g(x1, x2) = 0  h(x2) = 0, g(f(x1),b) + 1  f(x1), h(c) = 1, f(a) = 0 F F* h(c) = 1, f(a) = 0, “Domains”: Af : { a } Ag : { } Ah : { c }

Example

g(x1, x2) = 0  h(x2) = 0, g(f(x1),b) + 1  f(x1), h(c) = 1, f(a) = 0 F F* h(c) = 1, f(a) = 0, g(f(a),b) + 1  f(a) “Domains”: Af : { a } Ag : { [f(a), b] } Ah : { c }

Example

g(x1, x2) = 0  h(x2) = 0, g(f(x1),b) + 1  f(x1), h(c) = 1, f(a) = 0 F F* h(c) = 1, f(a) = 0, g(f(a),b) + 1  f(a), “Domains”: Af : { a } Ag : { [f(a), b] } Ah : { c }

Example

g(x1, x2) = 0  h(x2) = 0, g(f(x1),b) + 1  f(x1), h(c) = 1, f(a) = 0 F F* h(c) = 1, f(a) = 0, g(f(a),b) + 1  f(a), g(f(a), b) = 0  h(b) = 0 “Domains”: Af : { a } Ag : { [f(a), b] } Ah : { c, b }

Example

g(x1, x2) = 0  h(x2) = 0, g(f(x1),b) + 1  f(x1), h(c) = 1, f(a) = 0 F F* h(c) = 1, f(a) = 0, g(f(a),b) + 1  f(a), g(f(a), b) = 0  h(b) = 0 “Domains”: Af : { a } Ag : { [f(a), b]} Ah : { c, b }

Example

g(x1, x2) = 0  h(x2) = 0, g(f(x1),b) + 1  f(x1), h(c) = 1, f(a) = 0 F F* h(c) = 1, f(a) = 0, g(f(a),b) + 1  f(a), g(f(a), b) = 0  h(b) = 0, g(f(a), c) = 0  h(c) = 0 “Domains”: Af : { a } Ag : { [f(a), b], [f(a), c] } Ah : { c, b }

Example

g(x1, x2) = 0  h(x2) = 0, g(f(x1),b) + 1  f(x1), h(c) = 1, f(a) = 0 F F* h(c) = 1, f(a) = 0, g(f(a),b) + 1  f(a), g(f(a), b) = 0  h(b) = 0, g(f(a), c) = 0  h(c) = 0 a  2, b  2, c  3 f  { 2  0, …} h  { 2  0, 3  1, …} g  { [0,2] -1, [0,3] 0, …} M

Basic Idea

Given a model M for F*, Build a model M for F Define a projection function f s.t. range of f is M(Af), and f (v) = v if v  M(Af) Then, M(f)(v) = M(f)(f(v))

Basic Idea

M(Af) M(f(Af)) M(Af) M(f(Af))

M(f)

M(Af)

f M(f) M(f)

Basic Idea

Given a model M for F*, Build a model M for F In our example, we have: h(b) and h(c)

 Ah = { b, c }, and M(Ah) = { 2, 3 }

h = { 2  2, 3  3, else  3 } M(h) { 2  0, 3  1, …} M(h) { 2  0, 3  1, else  1} M(h) = x. if(x=2, 0, 1)

Example

g(x1, x2) = 0  h(x2) = 0, g(f(x1),b) + 1  f(x1), h(c) = 1, f(a) = 0 F F* h(c) = 1, f(a) = 0, g(f(a),b) + 1  f(a), g(f(a), b) = 0  h(b) = 0, g(f(a), c) = 0  h(c) = 0 M a  2, b  2, c  3 f  x. 2 h  x. if(x=2, 0, 1) g  x,y. if(x=0y=2,-1, 0) M a  2, b  2, c  3 f  { 2  0, …} h  { 2  0, 3  1, …} g  { [0,2] -1, [0,3] 0, …}

Example : Model Checking

M a  2, b  2, c  3 f  x. 2 h  x. if(x=2, 0, 1) g  x,y. if(x=0y=2,-1, 0) x1, x2: if(x1=0x2=2,-1,0) = 0  if(x2=2,0,1) = 0 is valid Does M satisfies? x1, x2 : g(x1, x2) = 0  h(x2) = 0 x1, x2: if(x1=0x2=2,-1,0)  0  if(x2=2,0,1)  0 is unsat if(s1=0s2=2,-1,0)  0  if(s2=2,0,1)  0 is unsat

Why does it work?

Suppose M does not satisfy C[f(x)]. Then for some value v, M{x v} falsifies C[f(x)]. M{x f(v)} also falsifies C[f(x)]. But, there is a term t  Af s.t. M(t) = f(v) Moreover, we instantiated C[f(x)] with t. So, M must not satisfy C[f(t)]. Contradiction: M is a model for F*.

Refinement: Lazy construction

F* may be very big (or infinite). Lazy-construction

Build F* incrementally, F* is the limit of the sequence F0  F1  …  Fk  … If Fk is unsat then F is unsat. If Fk is sat, then build (candidate) M If M satisfies all quantifiers in F then return sat.

Refinement: Model-based instantiation

Suppose M does not satisfy a clause C[f(x)] in F.

Add an instance C[f(t)] which “blocks” this spurious model. Issue: how to find t? Use model checking, and the “inverse” mapping f

• 1 from values to terms (in Af).

f

• 1(v) = t if M(t) = f(v)

Example: Model-based instantiation

F x1: f(x1) < 0, f(a) = 1, f(b) = -1 F0 f(a) = 1, f(b) = -1 M a2, b3 f x. if(x = 2, 1, -1) Model Checking x1: f(x1) < 0 not if(s1= 2, 1, -1) < 0 s1 2

f

• 1(2) = a

F1 f(a) = 1, f(b) = -1 f(a) < 0 unsat

Infinite F*

Is refutationally complete? FOL Compactness

A set of sentences is unsatisfiable iff it contains an unsatisfiable finite subset.

A theory T is a set of sentences, then apply compactness to F*T

Infinite F*

𝑈𝑎 𝐺∗

∪

Infinite set of first-order sentences

Applying COMPACTNESS

Finite 𝑇

Infinite F* : Example

F x1: f(x1) < f(f(x1)), x1: f(x1) < a, 1 < f(0). F* f(0) < f(f(0)), f(f(0)) < f(f(f(0))), … f(0) < a, f(f(0)) < a, … 1 < f(0) Every finite subset

• f F* is satisfiable.

Unsatisfiable

Infinite F* : What is wrong?

Theory of linear arithmetic TZ is the set of all first-order sentences that are true in the standard structure Z. Tz has non-standard models. F and F* are satisfiable in a non-standard model. Alternative: a theory is a class of structures. Compactness does not hold. F and F* are still equisatisfiable.

Extensions

Shifting

• (0  x1)  (x1  n)  f(x1) = g(x1+2)

Extensions

Many-sorted logic Pseudo-Macros 0  g(x1)  f(g(x1)) = x1, 0  g(x1)  h(g(x1)) = 2x1, g(a) < 0

Extensions

Online tutorial at: http://rise4fun.com/z3/tutorial

Extensions

Online tutorial at: http://rise4fun.com/z3/tutorial

Related work

Bernays-Schönfinkel class. Stratified Many-Sorted Logic. Array Property Fragment. Local theory extensions.

SMT + Saturation

CDCL/DPLL : Review

M | F

Partial model Set of clauses

CDCL/DPLL : Review

Guessing

p, q | p  q, q  r p | p  q, q  r

CDCL/DPLL : Review

Deducing

p, s| p  q, p  s p | p  q, p  s

CDCL/DPLL : Review

Backtracking

p, s| p  q, s  q, p q p, s, q | p  q, s  q, p q

DPLL()

Tight integration: DPLL + Saturation solver.

BIG and-or tree (ground) Axioms (non-ground)

DPLL()

Inference rule: DPLL() is parametric.

Examples:

Resolution Superposition calculus …

DPLL()

M | F

Partial model Set of clauses

DPLL() : Deduce I

p(a) | p(a)q(a), x: p(x)r(x), x: p(x)s(x)

DPLL() : Deduce I

p(a) | p(a)q(a), p(x)r(x), p(x)s(x)

DPLL() : Deduce I

p(a) | p(a)q(a), p(x)r(x), p(x)s(x) p(a) | p(a)q(a), p(x)r(x), p(x)s(x), r(x)s(x) Resolution

DPLL() : Deduce II

Using ground atoms from M:

M | F

Main issue: backtracking. Hypothetical clauses: H  C

(regular) Clause (hypothesis) Ground literals Track literals from M used to derive C

DPLL() : Deduce II

p(a) | p(a)q(a), p(x)r(x) p(a) | p(a)q(a), p(x)r(x), p(a)r(a) p(a), p(x)r(x) r(a)

DPLL() : Backtracking

p(a), r(a) | p(a)q(a), p(a)r(a), p(a)r(a), …

DPLL() : Backtracking

p(a), r(a) | p(a)q(a), p(a)r(a), p(a)r(a), … p(a) is removed from M

• p(a) | p(a)q(a), p(a)r(a), …

DPLL() : Improvement

Saturation solver ignores non-unit ground clauses.

p(a) | p(a)q(a), p(x)r(x)

DPLL() : Improvement

Saturation solver ignores non-unit ground clauses. It is still refutanionally complete if:

 has the reduction property.

BIG and-or tree (ground) Axioms (non-ground)

DPLL() : Improvement

DPLL + Theories Saturation Solver

Saturation solver ignores non-unit ground clauses. It is still refutanionally complete if:

 has the reduction property. Ground literals Ground clauses

DPLL() : Problem

Interpreted symtbols

• (f(a) > 2), f(x) > 5

It is refutationally complete if Interpreted symbols only occur in ground clauses Non ground clauses are variable inactive “Good” ordering is used

Summary

E-matching proof finding fast shallow proofs in big formulas not refutationally complete regularly solves VCs with more than 5 Mb

Summary

Complete instantiation + MBQI decides several useful fragments model & proof finding slow complements E-matching

Summary

SMT + Saturation refutationally complete for pure first-order proof finding slow

Not covered

Quantifier elimination Fourier-Motzkin (Linear Real Arithmetic) Cooper (Linear Integer Arithmetic) CAD (Nonlinear Real Arithmetic) Algebraic Datatypes (Hodges) Finite model finding Many Decidable Fragments

Challenge

New and efficient procedures capable of producing models for satisfiable instances.